Memorandum from the Office of the Inspector General

November 20, 2007

John E. Long, Jr., WT 7B-K

FINAL REPORT – AUDIT 2007-11198 – REVIEW OF RISK ASSESSMENT PERFORMED ON PERSONALLY IDENTIFIABLE INFORMATION

Attached is the subject final report for your review. This report does not include any recommendations and is to be used for informational purposes only. Accordingly, no response is necessary.

Information contained in this report may be subject to public disclosure. Please advise us of any sensitive information in this report which you recommend be withheld.

If you have any questions, please contact Phyllis R. Bryan, Project Manager, at (865) 632-4043 or Jill M. Matthews, Director, Information Technology Audits, at (865) 632-4730. We appreciate the courtesy and cooperation received from your staff during the audit.

Robert E. Martin
Assistant Inspector General
(Audits and Inspections)
ET 3C-K

PRB:SDB
Attachment
cc (Attachment):
    Steven A. Anderson, SP 5A-C
    William R. Brandenburg, Jr., MP 2B-C
    Peyton T. Hairston, Jr., WT 7B-K
    Tom D. Kilgore, WT 7B-K
    Janice W. McAllister, EB 7A-C
    Richard W. Moore, ET 4C-K
    Emily J. Reynolds, OCP 1L-NST
    OIG File No. 2007-11198

Review of Risk Assessment Performed on Personally Identifiable Information (PII)

Audit 2007-11198
November 20, 2007

Synopsis

  • In summary, we found the (1) risk assessment methodology was consistent with National Institute of Standards and Technology (NIST) and Office of Management and Budget (OMB) guidance, and (2) the conclusions reached were reasonable.

Background

  • OIG Audit 2007-10997, Review of Temporary Shares for Sensitive Information, found 32 instances of PII not properly secured on temporary share drives, thus exposing the information to anyone with a TVA network ID.
  • Information Services (IS) and Organization Security Officers (OSO) conducted subsequent reviews of the Nuclear temporary share drives and found 169 additional instances of PII.
  • In response to our findings, TVA management conducted a two-phase risk analysis on PII found stored on temporary share drives to determine the appropriate level of disclosure to individuals affected. Phase I reviewed the PII found during the OIG audit, and Phase II reviewed the PII identified during the IS/OSO review. Phases I and II utilized the same risk assessment methodology.
  • TVA issued a general notification on the PII exposure but determined, based on the risk assessment, individual notification was not needed.
  • To determine the risk level for each occurrence of PII, TVA used the following risk model:

        Overall Risk = Weighted Threat Likelihood x Magnitude of Impact

  • An Overall Risk Rating of:
      – “Low” would not require individual notification.
      – “Moderate” would not require individual notification unless there were verifiable instances of data capture and probable intent to misuse data.
      – “High” would require individual notification.

Objective, Scope & Methodology

  Objective
  • Review the risk assessment methodology used to evaluate PII identified during OIG and IS reviews of temporary shares and determine if IS' conclusions regarding risk exposure of PII were reasonable.

  Scope & Methodology
  • Interviewed IS personnel.
  • Performed a walkthrough of the process used by the IS PII Assessment Team.
  • Identified applicable criteria related to risk assessment and PII data breach response.
  • Compared the risk assessment methodology to (1) NIST SP 800-30, Risk Management Guide for Information Technology Systems, and (2) OMB guidance.
  • Evaluated a sample of seven risk scores against supporting interview documentation.
  • Reperformed risk ranking calculations for (1) our sample and (2) all Phase I interviews.
  • Fieldwork was conducted between August and November 2007.
  • This audit was performed in accordance with generally accepted government auditing standards.

Finding

  • In summary, we determined the (1) risk assessment methodology was consistent with NIST and OMB guidance, and (2) the conclusions reached were reasonable.
      – The Risk Model used (Overall Risk = Weighted Threat Likelihood x Magnitude of Impact) is consistent with the NIST SP 800-30 guidance. In addition, this model is consistent with OMB guidance, which recommends using a risk-based approach to determine whether notification of a breach is required.
      – The criteria TVA developed for rating Threat Likelihood and Magnitude of Impact appeared reasonable.
      – TVA determined, based on the risk model, that none of the occurrences reached the risk level of high, which would have required individual notification. In our review of a sample of the risk rating assignments, we noted one of the seven sampled was not calculated correctly; however, when the rating was recalculated it did not change the overall risk rating for that occurrence. Therefore, we believe the conclusions reached based on the risk ratings and methodology used were reasonable.
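As an added illustration (not part of the OIG report or of TVA's assessment), the Python below reperforms the risk model from the Background section (Overall Risk = Weighted Threat Likelihood x Magnitude of Impact), applies the three-band notification rule, and checks each recorded score against its components the way the audit reperformed the Phase I calculations. The scale values, the banding thresholds and the seven constructed occurrences are assumptions modelled on the illustrative scale in NIST SP 800-30; the report does not reproduce TVA's actual criteria.

```python
from dataclasses import dataclass

# ASSUMED scales and bands (NIST SP 800-30 illustrative values), not TVA's criteria.
LIKELIHOOD = {"low": 0.1, "moderate": 0.5, "high": 1.0}   # weighted threat likelihood
IMPACT = {"low": 10, "moderate": 50, "high": 100}         # magnitude of impact


def overall_risk(likelihood: str, impact: str) -> float:
    """Overall Risk = Weighted Threat Likelihood x Magnitude of Impact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_rating(score: float) -> str:
    """Band a numeric score (assumed thresholds: >50 high, >10 moderate, else low)."""
    return "high" if score > 50 else "moderate" if score > 10 else "low"


def notification_required(rating: str, verified_capture: bool, probable_misuse: bool) -> bool:
    """Notification rule from the report: High always; Moderate only with
    verifiable data capture AND probable intent to misuse; Low never."""
    if rating == "high":
        return True
    if rating == "moderate":
        return verified_capture and probable_misuse
    return False


@dataclass
class Occurrence:
    id: str
    likelihood: str
    impact: str
    recorded_score: float          # score written on the assessment worksheet
    verified_capture: bool = False
    probable_misuse: bool = False


def reperform(occurrences):
    """Recompute every score; flag arithmetic errors and whether an error
    changes the band (and therefore the notification decision)."""
    out = []
    for o in occurrences:
        score = overall_risk(o.likelihood, o.impact)
        rating = risk_rating(score)
        out.append({"id": o.id, "recomputed": score, "rating": rating,
                    "miscalculated": abs(score - o.recorded_score) > 1e-9,
                    "rating_changed": rating != risk_rating(o.recorded_score),
                    "notify": notification_required(rating, o.verified_capture, o.probable_misuse)})
    return out


# Constructed sample of seven occurrences; T-4 carries a deliberate arithmetic slip (0.5*50 != 20).
SAMPLE = [Occurrence("T-1", "low", "low", 1.0), Occurrence("T-2", "moderate", "low", 5.0),
          Occurrence("T-3", "low", "moderate", 5.0), Occurrence("T-4", "moderate", "moderate", 20.0),
          Occurrence("T-5", "low", "high", 10.0), Occurrence("T-6", "moderate", "moderate", 25.0, True),
          Occurrence("T-7", "high", "low", 10.0)]

if __name__ == "__main__":
    for row in reperform(SAMPLE):
        print(row)
```

Run on the constructed sample, the check flags exactly one miscalculated score whose recalculation does not move it out of its band, mirroring the audit's observation.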